Gate Research: Security Incident Summary for February 2025

Advanced | 3/6/2025, 3:34:56 AM
Gate Research report indicates: In February 2025, the Web3 industry experienced 15 security incidents with total losses of $1.676 billion—a significant increase from the previous month. These incidents primarily involved contract vulnerabilities and account hacks, accounting for 53.3% of total losses in the crypto industry. Most losses occurred on the BSC blockchain. Major incidents included the Bybit exchange wallet theft, Infini's lack of strict permission controls, and ionic falling victim to a social engineering attack.

Gate Research’s latest Web3 industry security report shows that February saw 15 security incidents with a total loss of $1.676 billion. The incidents were diverse, with account hacks and contract vulnerabilities the main threats, accounting for 58.3% of the total losses. The report analyzes the key incidents in detail, including the Bybit exchange wallet theft, Infini’s lack of strict permission controls, and zkLend’s contract vulnerabilities. Account hacking and contract vulnerabilities were identified as the major security risks this month, highlighting the need for the industry to keep strengthening its security measures.

Abstract

  • In February 2025, the Web3 industry experienced 15 security incidents, resulting in total losses of $1.676 billion, a significant increase compared to the previous month.
  • This month’s security incidents primarily involved contract vulnerabilities and account hacks, accounting for 53.3% of total losses in the crypto industry.
  • Looking at the distribution of security incidents across different chains, three projects suffered losses on the BSC blockchain.
  • Major incidents this month included Bybit exchange experiencing wallet theft (loss of $1.5 billion), Infini lacking strict permission controls (loss of $50 million), and ionic facing a social engineering attack (loss of $12.3 million).

Security Incident Overview

According to SlowMist data, February 2025 recorded 15 security incidents with losses of $1.676 billion. Attacks primarily involved contract vulnerabilities, account hacking, and other methods. Compared to January 2025, the total loss amount increased 18-fold month-over-month. Contract vulnerabilities and account hacking were the main causes of attacks, with 8 related hacking incidents occurring, accounting for 53.3% of the total. Official X accounts remained primary targets for hackers. [1]

This month’s distribution of security incidents across public blockchains shows that three projects—BankX, Cashverse, and Four.Meme—were all within the BSC ecosystem, with cumulative losses exceeding $330,000. This series of incidents indicates that the security of public chain ecosystem projects urgently needs strengthening. Facing frequent attacks and vulnerabilities, BSC should place greater emphasis on smart contract auditing, risk control mechanisms, and on-chain monitoring measures to enhance overall security standards.

Several blockchain projects suffered major security incidents this month, resulting in significant financial losses. Notable incidents include Bybit exchange’s wallet theft ($1.5 billion loss), Infini’s lack of strict permission controls ($50 million loss), and zkLend’s contract vulnerabilities ($9.6 million loss).

Major Security Incidents in February

According to official disclosures, the following projects suffered losses exceeding $1.56 billion in February. Lack of strict permission controls and wallet theft were the two primary threats.

  • Bybit experienced a $1.5 billion fund outflow, allegedly caused by the North Korean hacker group Lazarus Group, which tampered with Safe{Wallet} frontend code and forged signature interfaces, bypassing Bybit’s multi-signature mechanism to take control of its Ethereum cold wallet.
  • Infini suffered a $50 million loss due to lack of strict permission controls. Attackers successfully obtained a wallet with administrator privileges and used these permissions to perform unauthorized operations.
  • ionic lost $12.3 million when attackers deployed counterfeit Lombard BTC (LBTC) token contracts and used them as collateral to borrow various assets on the ionic platform.

Bybit

Project Overview:
Bybit, established in March 2018, is a leading cryptocurrency exchange. Known for its innovative technology and excellent trading experience, Bybit is committed to becoming the most trusted exchange in the emerging digital asset market.

Incident Overview:
On February 21, Bybit lost 499,000 ETH (approximately $1.5 billion) due to wallet theft, marking the largest single theft in crypto industry history. Investigations indicate the attack was likely perpetrated by the North Korean hacker group Lazarus Group. Their primary method involved tampering with Safe{Wallet} frontend code and forging signature interfaces, which bypassed Bybit’s multi-signature mechanism and ultimately gave them control of Bybit’s Ethereum cold wallet, from which they transferred substantial funds to anonymous addresses.

According to SlowMist security team analysis, the hackers first deployed malicious contracts, then infiltrated the Safe{Wallet} server, tampered with the frontend code, and replaced JavaScript files. This caused users to unknowingly sign transactions containing embedded malicious logic during transaction construction. Through this sophisticated technique, the attackers successfully circumvented Bybit’s multi-signature verification mechanism and completed the theft. [2][3]

Post-Incident Recommendations:

  • Upgrade multi-signature wallet security architecture: Upgrade Safe contracts to version 1.3.0 or higher, enable Guard mechanisms to strictly limit transaction permissions; implement multi-signature+MPC+HSM cold wallets to store over 90% of assets, dynamically adjust hot wallet limits, and combine sharding with geographically distributed key storage to prevent single points of failure from causing global losses.
  • Enhance account security to prevent unauthorized access: Enable two-factor authentication (2FA), implement address whitelisting, and integrate AI transaction behavior monitoring to prevent unauthorized account access by hackers.
  • Promote industry-wide security alliances: Establish a hacker attack intelligence database and promote security alliances between exchanges, on-chain analysis companies, and DeFi platforms to create rapid response mechanisms and reduce hackers’ escape routes.
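
The Guard and address-whitelisting recommendations above, sketched as an off-chain pre-signing check (an added example, not code from Gate Research, Safe or Bybit). It evaluates the raw fields of a proposed Safe transaction instead of what a signing page displays; the policy, the placeholder addresses and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                   # Safe Enum.Operation values
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

# Constructed placeholder addresses, not real deployments.
COLD_SAFE, HOT_WALLET = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, UNKNOWN = "0x" + "33" * 20, "0x" + "44" * 20

@dataclass(frozen=True)
class SafeTx:
    """The four fields of a Safe transaction that decide what it does."""
    to: str
    value: int
    data: bytes
    operation: int

@dataclass(frozen=True)
class Policy:
    """Hypothetical signer policy; every field name is an assumption."""
    safe: str
    recipients: frozenset   # addresses allowed to receive ETH or tokens
    tokens: frozenset       # token contracts the Safe may call
    max_value_wei: int

def norm(addr: str) -> str:
    """Lower-case a 20-byte hex address, rejecting anything malformed."""
    a = addr.lower()
    if not a.startswith("0x") or len(a) != 42 or len(bytes.fromhex(a[2:])) != 20:
        raise ValueError(f"bad address: {addr!r}")
    return a

def transfer_calldata(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount): selector + two 32-byte words."""
    word = bytes(12) + bytes.fromhex(norm(recipient)[2:])
    return ERC20_TRANSFER + word + amount.to_bytes(32, "big")

def violations(tx: SafeTx, policy: Policy) -> list:
    """Return every rule the raw transaction breaks; an empty list means sign."""
    found, to = [], norm(tx.to)
    recipients = {norm(a) for a in policy.recipients}
    tokens = {norm(t) for t in policy.tokens}
    if tx.operation != CALL:
        found.append("operation is not a plain CALL")
    if to == norm(policy.safe):
        found.append("target is the Safe itself (configuration change)")
    if tx.value > policy.max_value_wei:
        found.append("value exceeds per-transaction limit")
    if not tx.data:                          # plain ETH transfer
        if to not in recipients:
            found.append("ETH recipient not allowlisted")
    elif to in tokens and tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        # The address occupies the low 20 bytes of the first argument word.
        if any(tx.data[4:16]) or "0x" + tx.data[16:36].hex() not in recipients:
            found.append("token recipient not allowlisted")
    else:
        found.append("calldata is not an allowlisted token transfer")
    return found

POLICY = Policy(COLD_SAFE, frozenset({HOT_WALLET}), frozenset({TOKEN}), 100 * 10**18)
# Constructed requests: a routine top-up, a token transfer, and one whose
# calldata resembles a transfer but is a DELEGATECALL to an unvetted contract.
ROUTINE = SafeTx(HOT_WALLET, 10**18, b"", CALL)
TOKEN_OUT = SafeTx(TOKEN, 0, transfer_calldata(HOT_WALLET, 5), CALL)
SUSPECT = SafeTx(UNKNOWN, 0, transfer_calldata(HOT_WALLET, 0), DELEGATECALL)
```

Run on a machine separate from the one rendering the signing page, a check like this gives each signer a second view of the request; an on-chain Guard enforces the same kind of rules at execution time.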

Infini

Project Overview:
Infini is a new type of stablecoin bank focused on cryptocurrencies. The company uses smart contracts and blockchain technology to provide users with decentralized financial services, supporting features such as deposits, loans, and payments.

Incident Overview:
On February 24, due to a lack of strict permission controls, attackers successfully obtained a wallet with administrator privileges and used these permissions to perform unauthorized operations, stealing nearly $50 million in funds. The key vulnerabilities were the smart contract’s lack of strict permission management—which allowed attackers to directly control critical operations—and the administrator account’s failure to implement sufficient multi-signature or permission isolation measures. This meant that once a single wallet was compromised, the entire system could be controlled. [4]

Post-Incident Recommendations:

  • Strengthen permission management: Implement multi-signature requirements to ensure that key transactions require multiple private keys for approval, rather than being controlled by a single administrator account.
  • Enhance security mechanisms: Upgrade smart contract security and use decentralized governance mechanisms to reduce dependence on single administrator accounts.
  • Code audits and real-time monitoring systems: Engage professional blockchain security companies (such as CertiK, SlowMist) to conduct comprehensive audits of smart contracts and monitor abnormal fund movements, with automatic fund freezing when suspicious activities occur.

ionic

Project Overview:
ionic is a lending protocol based on the Mode ecosystem, providing permissionless liquidity markets that allow users to borrow using various assets as collateral. Leveraging Mode’s low fees and scalable features, it has attracted many DeFi users.

Incident Overview:
On February 5, ionic suffered a social engineering attack, resulting in losses of approximately $8.8 million. The attackers deployed counterfeit Lombard BTC (LBTC) token contracts and used them as collateral to borrow various assets on the ionic platform, including MBTC, uniBTC, wrsETH, WETH, and STONE. Starting with initial funds of just 0.01 ETH, the attackers illegally acquired substantial assets through this method and laundered them via Tornado Cash. [5]

Post-Incident Recommendations:

  • Strengthen collateral asset verification: Implement on-chain asset certification for all non-mainstream collaterals, filtering potential fraudulent tokens through oracle and reputation scoring mechanisms.
  • Add whitelist mechanisms to smart contracts: Restrict collateral to officially approved assets only, and adopt dynamic risk scoring to prevent malicious contracts from forging collateral assets.
  • Real-time monitoring and early warning systems: Establish real-time monitoring mechanisms to promptly detect and respond to abnormal activities.

Summary

In February 2025, multiple DeFi and CeFi platforms were hit by security attacks, resulting in hundreds of millions of dollars in asset losses. These incidents included the Bybit exchange hack, Infini’s lack of strict permission controls, and ionic falling victim to a social engineering attack. The events exposed critical weaknesses in cryptocurrency platforms’ security, smart contract code auditing, and risk management. The industry urgently needs to strengthen smart contract auditing, implement real-time monitoring, and introduce multi-layered protection mechanisms to enhance platform security and user trust. Gate.io reminds users to remain vigilant and take necessary precautions to protect their funds.


References:

  1. SlowMist, https://hacked.slowmist.io/zh/statistics
  2. X, https://x.com/benbybit/status/1894768736084885929
  3. SlowMist, https://slowmist.medium.com/slowmist-hacker-techniques-and-questions-behind-bybits-nearly-1-5-billion-theft-09f0b59da2e2
  4. X, https://x.com/0xinfini/status/1893973307596435871
  5. X, https://x.com/wublockchain12/status/1886953752973992438



Gate Research
Gate Research is a comprehensive blockchain and cryptocurrency research platform that delivers in-depth content. This includes technical analysis, hot topic insights, market reviews, industry research, trend forecasts, and macroeconomic policy analysis.


Disclaimer
Investing in the cryptocurrency market involves high risk, and it is recommended that users conduct independent research and fully understand the nature of the assets and products they are purchasing before making any investment decisions. Gate.io is not responsible for any losses or damages caused by such investment decisions.

Author: Shirley
Translator: Sonia
Reviewer(s): Addie, Mark, Evelyn
Translation Reviewer(s): Ashley, Joyce
* This information is not financial advice or any other recommendation offered or endorsed by Gate.io.
* This article may not be reproduced, transmitted or copied without reference to Gate.io. Violation is an infringement of the Copyright Act and may be subject to legal action.
